Beginning May 2016, Cornell AWS accounts are set up with AWS Direct Connect (DC) joining the campus 10-space network to the 10-space network in Cornell Standard AWS VPCs. Prior to that, accounts were set up with a VPN connection back to campus.
FAQs
What is the difference in performance between the Direct Connect and a VPN connection?
We don't have tons of data on that. Generally, we find that overall realized speed is similar between VPN and DC connections, but that the DC connection has less variability. Here's an example:
- VPN ping statistics:
rtt min/avg/max/mdev = 17.749/18.319/19.348/0.458 ms
- DC ping statistics:
rtt min/avg/max/mdev = 14.873/15.005/15.188/0.139 ms
See https://en.wikipedia.org/wiki/Ping_(networking_utility) for interpreting ping output.
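The "less variability" claim above can be checked mechanically from the `rtt min/avg/max/mdev` summary line that Linux `ping` prints. The script below is an added example (not part of the original page or of any Cornell tooling): it parses that summary line, uses mdev relative to avg as a scale-free jitter measure, and reports which link is steadier. The two summary lines it uses are the ones quoted above; the `VPN` and `DC` labels are just dictionary keys chosen for this example.

```python
"""Compare link jitter from Linux `ping` summary lines (added example)."""
import re

# Matches e.g. "rtt min/avg/max/mdev = 17.749/18.319/19.348/0.458 ms"
RTT_RE = re.compile(r"rtt min/avg/max/mdev = ([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+) ms")

# The two summary lines quoted on this page, keyed by link type.
SAMPLES = {
    "VPN": "rtt min/avg/max/mdev = 17.749/18.319/19.348/0.458 ms",
    "DC":  "rtt min/avg/max/mdev = 14.873/15.005/15.188/0.139 ms",
}


def parse_rtt(line):
    """Return {'min','avg','max','mdev'} in milliseconds from a ping summary line."""
    m = RTT_RE.search(line)
    if not m:
        raise ValueError("not a Linux ping rtt summary line: %r" % line)
    return dict(zip(("min", "avg", "max", "mdev"), map(float, m.groups())))


def jitter_ratio(stats):
    """mdev divided by avg: variability independent of the absolute latency."""
    return stats["mdev"] / stats["avg"]


def rtt_spread(stats):
    """Worst-case swing in ms (max - min) for the sampled window."""
    return stats["max"] - stats["min"]


def steadier_link(named_lines):
    """Given {name: summary line}, return the name with the lowest jitter ratio."""
    return min(named_lines, key=lambda n: jitter_ratio(parse_rtt(named_lines[n])))


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        s = parse_rtt(line)
        print("%-4s avg=%.3f ms  spread=%.3f ms  jitter=%.2f%%"
              % (name, s["avg"], rtt_spread(s), 100 * jitter_ratio(s)))
    print("steadier link:", steadier_link(SAMPLES))
```

Feed it the last line of any `ping -c N` run over each path; a rising jitter ratio on the DC path, compared with the MRTG graphs linked below, is a cheap first signal that the circuit is congested or has failed over to the secondary.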
What are the physical details of Cornell's Direct Connect to AWS?
The primary DC connection is a 1Gbit/s connection. The backup connection is a 200Mbit/s connection. They use geographically separate routes to reach AWS.
Is the DC monitored?
Yes. The CIT Infrastructure Team monitors the performance and utilization of the primary and secondary links. You can monitor it yourself too using these URLs:
- Primary Cornell Direct Connect to AWS us-east-1: http://mrtg.cit.cornell.edu/wan/WorkDir/aws1-mx.512.html
- Backup Cornell Direct Connect to AWS us-east-1: http://mrtg.cit.cornell.edu/wan/WorkDir/aws2-mx.513.html
Can the DC bandwidth be increased if utilization becomes heavy?
Yes, there is an upgrade path should that become necessary.
We upgraded the secondary path from 100Mbit/s to 200Mbit/s in November 2019.
As of August 2021, we have had only one instance where the primary Direct Connect circuit was briefly saturated with AWS-bound traffic. It looked like this (blue is AWS-bound, green is campus-bound):
What are the requirements for using Direct Connect?
Your AWS VPC must be using a Cornell private network registered in DNSDB and allocated specifically to your group by the Network Engineering and Cloud teams.
What traffic is routed through the DC?
There are three choices. See diagrams in AWS Direct Connect Routing Diagrams.
RFC1918 Routing
For Cornell AWS accounts with DC configured for RFC1918 routing, only 10-space traffic (specifically 10.0.0.0/8) is routed from on-campus 10-space to 10-space addresses in Cornell Standard AWS VPCs. This means that traffic from servers and clients with (only) public campus IP addresses cannot access the 10-space networks in a Cornell Standard AWS VPC.
All Campus Routing
For Cornell AWS accounts with DC configured for "All Campus" routing, traffic from campus 10-space as well as traffic from public campus IPs is routed through the DC to the Cornell Standard AWS VPC. This routing can be problematic if you intend to deploy services available to the world in your Cornell Standard VPC.
The campus public IP space consists of the following:
- 128.84.0.0/16
- 128.253.0.0/16
- 132.236.0.0/16
- 192.35.82.0/24
- 192.122.235.0/24
- 192.122.236.0/24
Hybrid Routing
Similar to the "All Campus Routing" above, this configuration brings all of the Cornell campus IP space (10-space and public addresses) over the Direct Connect. Where it differs is in the individual subnet route tables:
- Private Subnets: AWS subnets without direct Internet access should use a route table that includes all propagated routes from the Direct Connect (includes campus 10-space and public space).
- Public Subnets: AWS subnets with direct Internet access (IGW) should use a route table that disables route propagation from Direct Connect and only includes references to campus 10-space addresses.
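The three routing options above differ only in which campus prefixes are expected to arrive over Direct Connect and, for Hybrid Routing, in how each subnet's route table is configured. The script below is an added example, not Cornell's or AWS's own tooling: it audits route tables in the JSON shape returned by `aws ec2 describe-route-tables` against the Hybrid pattern (public route tables must not propagate VGW routes and may only point campus 10-space at the virtual private gateway; private route tables must propagate). The campus prefixes are the ones listed on this page; the sample route tables and the `rtb-`, `igw-` and `vgw-` identifiers are constructed placeholders, and the assumption that public subnets are those whose route table carries a default route to an Internet Gateway is the example's own.

```python
"""Audit VPC route tables against the Cornell "Hybrid Routing" pattern (added example)."""
import ipaddress
import json

CAMPUS_RFC1918 = ipaddress.ip_network("10.0.0.0/8")
CAMPUS_PUBLIC = [ipaddress.ip_network(p) for p in (
    "128.84.0.0/16", "128.253.0.0/16", "132.236.0.0/16",
    "192.35.82.0/24", "192.122.235.0/24", "192.122.236.0/24",
)]


def expected_dc_prefixes(mode):
    """Campus prefixes that reach the VPC over Direct Connect under each routing option."""
    if mode == "RFC1918":
        return [CAMPUS_RFC1918]
    if mode in ("All Campus", "Hybrid"):
        return [CAMPUS_RFC1918] + CAMPUS_PUBLIC
    raise ValueError("unknown routing mode: %r" % mode)


def is_public_route_table(rt):
    """Assumption: a route table is 'public' if its default route goes to an IGW."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(r.get("GatewayId", "")).startswith("igw-")
               for r in rt["Routes"])


def audit_hybrid(route_tables):
    """Return (RouteTableId, problem) findings; an empty list means compliant."""
    findings = []
    for rt in route_tables:
        rt_id = rt["RouteTableId"]
        propagating = bool(rt.get("PropagatingVgws"))
        if is_public_route_table(rt):
            if propagating:
                findings.append((rt_id, "public route table has VGW route propagation enabled"))
            for r in rt["Routes"]:
                cidr = r.get("DestinationCidrBlock")
                if not cidr or not str(r.get("GatewayId", "")).startswith("vgw-"):
                    continue  # local, IGW, NAT and prefix-list routes are not DC routes
                dest = ipaddress.ip_network(cidr)
                if not dest.subnet_of(CAMPUS_RFC1918):
                    findings.append((rt_id, "public route table sends %s to the VGW; "
                                            "only campus 10-space belongs here" % dest))
        elif not propagating:
            findings.append((rt_id, "private route table is not propagating VGW routes"))
    return findings


# Constructed sample: one public and one private route table, both misconfigured.
SAMPLE = json.loads("""
{"RouteTables": [
 {"RouteTableId": "rtb-public-EXAMPLE",
  "PropagatingVgws": [{"GatewayId": "vgw-EXAMPLE"}],
  "Routes": [
   {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"},
   {"DestinationCidrBlock": "10.0.0.0/8", "GatewayId": "vgw-EXAMPLE"},
   {"DestinationCidrBlock": "128.84.0.0/16", "GatewayId": "vgw-EXAMPLE",
    "Origin": "EnableVgwRoutePropagation"}
  ]},
 {"RouteTableId": "rtb-private-EXAMPLE",
  "PropagatingVgws": [],
  "Routes": [
   {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
   {"DestinationCidrBlock": "10.0.0.0/8", "GatewayId": "vgw-EXAMPLE"}
  ]}
]}
""")

if __name__ == "__main__":
    for rt_id, problem in audit_hybrid(SAMPLE["RouteTables"]):
        print(rt_id, "-", problem)
```

To run it against a real account, replace `SAMPLE` with the parsed output of `aws ec2 describe-route-tables`. The findings map directly onto the Hybrid rules above: a public route table that propagates, or that carries a campus public prefix toward the VGW, will pull return traffic for Internet-facing services onto the Direct Connect, which is exactly the side-effect the "All Campus" note warns about.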
Can I change the traffic routed through DC?
The configuration for Cornell campus traffic routed through Direct Connect to your VPC can be altered should your needs change in the future. Moving among the routing options ("RFC 1918", "All-Campus", "Hybrid") may require a review of your subnet route tables to ensure a smooth transition without any negative side-effects.
Can Cornell AWS accounts configured to use a VPN connection be upgraded to use the DC?
Yes. Contact cloud-support@cornell.edu to request that change. The change will require a brief outage of 10-space routing, so advance planning is required so that access to your cloud-based services is not disrupted.
I got a notice from AWS about maintenance for my Direct Connect connection. Will connectivity be down during that maintenance window?
No. During maintenance outages of the primary Direct Connect physical connection, Direct Connect for AWS accounts will automatically use the secondary Direct Connect connection.
Is there a Disaster Recovery Plan for our Direct Connect connectivity?
There is no specific DR plan for our Direct Connect connectivity, beyond the high availability configuration we now have. We are seeking information from the leased line providers to see how fast they would be able to upgrade our current 100Mbit/s secondary connection to 1Gbit/s if our primary Direct Connect path fails and is expected to be offline for a while. Note, too, that since the current Direct Connect lines are piped directly to the us-east-1 AWS region, our Direct Connect connectivity might be useless in a scenario that involves failure of that entire region.